pallets / jinja

A very fast and expressive template engine.
https://jinja.palletsprojects.com
BSD 3-Clause "New" or "Revised" License
10.33k stars 1.62k forks

Mark output of Template(..., autoescape=True).render() as safe #2003

Open haxtibal opened 3 months ago

haxtibal commented 3 months ago

Consider this minimal example:

from jinja2 import Template

inner = Template('<b>{{ first_name }}</b> {{ last_name }}', autoescape=True).render(first_name='John', last_name="Doe")
outer = Template('Hello,<br/>{{ name }}!', autoescape=True).render(name=inner)
print(outer)

It results in "Hello,<br/>&lt;b&gt;John&lt;/b&gt; Doe!". We have to explicitly mark inner as safe with markupsafe.Markup(inner) or | safe to produce the wanted output "Hello,<br/><b>John</b> Doe!".

The Template knows inner is created with autoescape=True. Couldn't it mark the result of render automatically as safe?

FWIW, the documentation has a related sentence

Jinja functions (macros, super, self.BLOCKNAME) always return template data that is marked as safe.
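The double-escaping described in this issue, the two workarounds (`Markup(...)` and `| safe`), and the documented macro behaviour, reproduced side by side as an added example (not code from the issue or from the Jinja project). It also shows the check a reviewer would want before accepting "mark render output as safe" as a general rule: the wrapper is only correct when the inner template really did escape its variables. The `<script>` value in `USER_INPUT` is a constructed sample of user-controlled data; Jinja's own `Template` and `Markup` are the only APIs used.

```python
from jinja2 import Template
from markupsafe import Markup

# Constructed sample input: the last name is user-controlled and carries markup.
USER_INPUT = {"first_name": "John", "last_name": "<script>alert(1)</script>"}

INNER_SRC = "<b>{{ first_name }}</b> {{ last_name }}"
OUTER_SRC = "Hello,<br/>{{ name }}!"


def is_safe(value):
    """True if Jinja/markupsafe will leave `value` unescaped (it has __html__)."""
    return hasattr(value, "__html__")


def render_inner(autoescape=True):
    """Template(...).render() returns a plain str, never Markup, whatever
    autoescape was set to. That is the behaviour the issue is about."""
    return Template(INNER_SRC, autoescape=autoescape).render(**USER_INPUT)


def render_naive():
    """Reproduces the issue: the already-escaped inner output is escaped again."""
    inner = render_inner(autoescape=True)
    return Template(OUTER_SRC, autoescape=True).render(name=inner)


def render_marked():
    """Workaround 1: wrap the autoescaped inner result in Markup."""
    inner = Markup(render_inner(autoescape=True))
    return Template(OUTER_SRC, autoescape=True).render(name=inner)


def render_safe_filter():
    """Workaround 2: apply the `safe` filter in the outer template."""
    inner = render_inner(autoescape=True)
    return Template("Hello,<br/>{{ name | safe }}!", autoescape=True).render(name=inner)


def render_unsafe_marking():
    """The caveat: marking is only sound if the inner template escaped its
    variables. Here it was rendered with autoescape=False, so the Markup
    wrapper hands the raw user input straight through to the outer page."""
    inner = Markup(render_inner(autoescape=False))
    return Template(OUTER_SRC, autoescape=True).render(name=inner)


def render_with_macro():
    """What the quoted documentation sentence refers to: a macro defined in an
    autoescaping template returns Markup, so no second escaping happens."""
    src = (
        "{% macro inner(first_name, last_name) %}"
        "<b>{{ first_name }}</b> {{ last_name }}"
        "{% endmacro %}"
        "Hello,<br/>{{ inner(first_name, last_name) }}!"
    )
    return Template(src, autoescape=True).render(**USER_INPUT)


if __name__ == "__main__":
    print("render() is marked safe:", is_safe(render_inner()))
    print("naive:        ", render_naive())
    print("Markup():     ", render_marked())
    print("| safe:       ", render_safe_filter())
    print("unsafe mark:  ", render_unsafe_marking())
    print("macro:        ", render_with_macro())
```

`render_naive` is the issue's output (with `&lt;` turned into `&amp;lt;`), `render_marked` and `render_safe_filter` give the wanted result while still escaping the user-supplied `<script>`, and `render_unsafe_marking` shows why any automatic "mark as safe" would have to be tied to the inner template's autoescape setting rather than applied to every `render()` result.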